DUJARDIN
Posted: Thu Aug 02, 2007 2:19 am   Post subject: Cluster MQ in networks using NAT addresses
Hi all,
We are trying to connect two MQ queue managers in cluster mode (one MQ on z/OS as full repository and one MQ on Windows as partial repository). The MQ on z/OS and the MQ on Windows are in two different networks, and we use NAT addresses.
The first connection between the queue managers is OK, and the cluster repository is updated with the definitions:
the MQ Windows cluster-receiver channel parameters update the MQ z/OS cluster-sender channel, and so the MQ z/OS cluster-sender CONNAME parameter is updated with the MQ Windows local address, which is unknown to the z/OS network.
Is it possible to connect clustered MQ in networks using NAT addresses?
Vitor
Posted: Thu Aug 02, 2007 2:28 am
The general rule of thumb is to connect queue managers using hostnames, and hide all the IP addresses, routing and other magic down in the network layer where the wizards and the gnomes can make it work.

-- Honesty is the best policy. Insanity is the best defence.
jefflowrey
Posted: Thu Aug 02, 2007 3:27 am
The other general rule of thumb is that MQ clusters try to make themselves into a fully connected network. This makes crossing network addressing boundaries very complicated. That is, if you have QMGR A, B, and C on one network, and D, E and F on another network, and the only network path there is between B and E, and the addresses of A, C, D and F are not visible to each other... then you will have lots of channel errors on lots of QMGRs.
MQ, in general, doesn't care what "type" of address you give it - a hostname, a "real" IP address, a "virtual" IP address, a "NAT" address...
But it has to be an address that is useful. So the Windows CLUSRCVR should include a conname that is visible to the rest of the network.

-- I am *not* the model of the modern major general.
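The point made above (the CLUSRCVR CONNAME is what gets copied into everyone else's auto-defined CLUSSDR, so it has to be reachable from the other network) in MQSC form. This is an added example, not from any poster in the thread: the queue manager names QMZOS and QMWIN, the cluster name NATCLUS, the DNS names and port 1414 are all assumed.

```mqsc
* Added example, not from the thread. QMZOS = full repository on z/OS,
* QMWIN = partial repository on Windows, cluster NATCLUS; DNS names and
* port 1414 are assumed placeholders.
*
* --- On QMZOS (full repository) ---
ALTER QMGR REPOS(NATCLUS)
* The CLUSRCVR CONNAME is what every other member will use to reach QMZOS,
* so it must be a name that resolves correctly from the Windows side,
* not a z/OS-internal address.
DEFINE CHANNEL(TO.QMZOS) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) +
       CONNAME('qmzos.example.com(1414)') CLUSTER(NATCLUS) REPLACE

* --- On QMWIN (partial repository) ---
* Same rule: advertise the name the z/OS network can resolve (through the
* NAT), never the private Windows address, or the auto-defined CLUSSDR on
* QMZOS is built with an unreachable CONNAME.
DEFINE CHANNEL(TO.QMWIN) CHLTYPE(CLUSRCVR) TRPTYPE(TCP) +
       CONNAME('qmwin.example.com(1414)') CLUSTER(NATCLUS) REPLACE
* Manually defined CLUSSDR pointing at the full repository.
DEFINE CHANNEL(TO.QMZOS) CHLTYPE(CLUSSDR) TRPTYPE(TCP) +
       CONNAME('qmzos.example.com(1414)') CLUSTER(NATCLUS) REPLACE

* --- Check, on either side: which CONNAME did the repository propagate? ---
* A private address showing up here means the CLUSRCVR CONNAME was wrong.
DISPLAY CLUSQMGR(*) CONNAME STATUS
DISPLAY CHSTATUS(*) STATUS
```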
Vitor
Posted: Thu Aug 02, 2007 3:33 am
jefflowrey wrote:
    The other general rule of thumb is that MQ clusters try to make themselves into a fully connected network.
That's a very valid point & one I'd overlooked. It's important that the network wizards understand that.

-- Honesty is the best policy. Insanity is the best defence.
DUJARDIN
Posted: Thu Aug 02, 2007 11:44 pm
IBM support recommends using a DNS host name rather than an IP address, and in each network the host name is the distant MQ's local address.
David.Partridge
Posted: Wed Sep 05, 2007 3:47 am
If all the QMs are hiding behind NAT routers, then IMHO you are almost SOL (i.e. you can't make it work).
Your only real solution is to use the routers' VPN capability to set up a VPN between the systems.
You might be able to make it work by restricting port ranges used for the channel answer back, and specifically opening the routers to let those ports through to a specific internal IP, but then you aren't really using NAT any more.
Dave
fjb_saper
Posted: Wed Sep 05, 2007 3:57 am
David.Partridge wrote:
    If all the QMs are hiding behind NAT routers, then IMHO you are almost SOL (i.e. you can't make it work).
    Your only real solution is to use the routers' VPN capability to set up a VPN between the systems.
    You might be able to make it work by restricting port ranges used for the channel answer back, and specifically opening the routers to let those ports through to a specific internal IP, but then you aren't really using NAT any more.
    Dave
Looks like you are mixing NAT and firewall here.
a) NAT will only affect hostname resolution.
b) Firewall will work with IP and port.
So what you need is the hostname to resolve correctly on all sides of the network.
You will also need the firewall to be open between each of the qmgrs in the cluster on the MQ listener port... bidirectional.

-- MQ & Broker admin
PeterPotkay
Posted: Wed Sep 05, 2007 4:29 pm
Yikes!
If you've got 2 clusters on 2 separate networks my advice is to nominate one QM in each cluster to be a gateway to the other. Define conventional SNDR/RCVR channels between the 2 gateways. Make sure each gateway has all the QM alias defs defined (clustered of course) so that a message can find its way to Cluster A from anywhere in Cluster B, and the reverse. Make the gateway QMs highly available by running them on hardware clusters.
Based on the fun I've had to date with 2 plain QMs talking to each other once you mix in firewalls and NATs and VPNs and who knows what else those network wizards have got going on, I can't imagine multiple QMs all jabbering at each other and trying to debug it when (not if!!!) you have problems.

-- Peter Potkay. Keep Calm and MQ On
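The gateway design described in the post above, as MQSC definitions, so that only one conventional channel pair crosses the NAT/firewall boundary (which is also the one bidirectional listener-port opening fjb_saper mentions). This is an added example, not any poster's own configuration: the gateway names GWA and GWB, cluster names CLUSA and CLUSB, member names QMA1/QMB1/QMB2 and the DNS names are assumed.

```mqsc
* Added example, not from the thread. Assumed names: GWA is the gateway
* queue manager in cluster CLUSA (network A), GWB the gateway in cluster
* CLUSB (network B); QMA1 is another member of CLUSA, QMB1/QMB2 of CLUSB.
*
* --- On GWA ---
* Transmission queue plus conventional SDR/RCVR pair to the other gateway.
DEFINE QLOCAL(GWB) USAGE(XMITQ) TRIGGER TRIGTYPE(FIRST) +
       TRIGDATA(GWA.TO.GWB) INITQ(SYSTEM.CHANNEL.INITQ) REPLACE
DEFINE CHANNEL(GWA.TO.GWB) CHLTYPE(SDR) TRPTYPE(TCP) +
       CONNAME('gwb.netb.example.com(1414)') XMITQ(GWB) REPLACE
DEFINE CHANNEL(GWB.TO.GWA) CHLTYPE(RCVR) TRPTYPE(TCP) REPLACE
* One clustered queue-manager alias per member of the far cluster. Because
* the alias is advertised in CLUSA, any QM in cluster A that puts to queue
* manager QMB1 resolves it to GWA, which forwards it over the SDR channel;
* GWB then resolves QMB1 through its own cluster membership in CLUSB.
DEFINE QREMOTE(QMB1) RNAME(' ') RQMNAME(QMB1) XMITQ(GWB) +
       CLUSTER(CLUSA) REPLACE
DEFINE QREMOTE(QMB2) RNAME(' ') RQMNAME(QMB2) XMITQ(GWB) +
       CLUSTER(CLUSA) REPLACE

* --- On GWB: the mirror image, so replies find their way back ---
DEFINE QLOCAL(GWA) USAGE(XMITQ) TRIGGER TRIGTYPE(FIRST) +
       TRIGDATA(GWB.TO.GWA) INITQ(SYSTEM.CHANNEL.INITQ) REPLACE
DEFINE CHANNEL(GWB.TO.GWA) CHLTYPE(SDR) TRPTYPE(TCP) +
       CONNAME('gwa.neta.example.com(1414)') XMITQ(GWA) REPLACE
DEFINE CHANNEL(GWA.TO.GWB) CHLTYPE(RCVR) TRPTYPE(TCP) REPLACE
DEFINE QREMOTE(QMA1) RNAME(' ') RQMNAME(QMA1) XMITQ(GWA) +
       CLUSTER(CLUSB) REPLACE

* Only the GWA<->GWB path (port 1414 in each direction) crosses the NAT
* boundary, so that is the only opening the firewall needs. Check it:
DISPLAY CHSTATUS(GWA.TO.GWB) STATUS MSGS
```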
fjb_saper
Posted: Wed Sep 05, 2007 7:04 pm
Don't forget to add MQIPT into the mix with those that bring security up to a new level of paranoia...
And remember there are a few pages on using MQIPT in a cluster...

-- MQ & Broker admin